1 / 53

System Modeling and Verification with UCLID

Explore data abstraction methods, restricted first-order logic, and efficient decision procedures for verifying hardware correctness in systems like pipelines, caches, and memory queues. Understand abstracting data, control logic, and data-dependent control for thorough system validation.

hdobbs
Download Presentation

System Modeling and Verification with UCLID

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. System Modeling and Verification withUCLID http://www.cs.cmu.edu/~uclid Randal E. Bryant http://www.cs.cmu.edu/~bryant Contributions by graduate students: Sanjit Seshia, Shuvendu Lahiri

  2. Applying Data Abstraction to Hardware Verification • Idea • Abstract details of data encodings and operations • Keep control logic precise • Applications • Verify overall correctness of system • Assuming individual functional units correct • Technology • Use restricted subset of first-order logic • Implement efficient decision procedures • Multiple methods of performing verification

  3. Example: HP/Compaq Alpha 21264 • Pipeline State • Multiple caches • Instruction queues • Dynamically-allocated registers • Memory queue • Many buffers between stages • Verification Tasks • Does it implement the Alpha ISA? Microprocessor Report, Oct. 28, 1996

  4. x Abstracting Data from Bits to Integers x0 x1 • View Data as Symbolic “Terms” • Arbitrary integers • Verification proves correctness of design for all possible word sizes • Can store in memories & registers x2 xn-1

  5. Required Logic • Scalar Data Types • Formulas (F ) Boolean Expressions • Control signals • Terms (T ) Integer Expressions • Data values • Arbitrary values from some infinite domain

  6. p T F x 1 0 ITE(p, x, y) x x 1 0 1 0 y x y y y Modeling Data Selection • If-Then-Else Operation • Mulitplexor • Allows control-dependent data flow

  7. ALU Abstraction Via Uninterpreted Functions • For any Block that Transforms or Evaluates Data: • Replace with generic, unspecified function • Only assumed property is functional consistency: a = x b = y f(a, b) = f(x, y) f

  8. IF/ID ID/EX EX/WB PC Control Control Op Instr Mem Rd Ra = Adat Reg. File ALU Imm +4 = Rb Abstraction Via Uninterpreted Functions • For any Block that Transforms or Evaluates Data: • Replace with generic, unspecified function • Also view instruction memory as function F3 F2 F1

  9. Modeling Data-Dependent Control Cond • Model by Uninterpreted Predicate • Yields arbitrary Boolean value for each control + data combination • Produces same result when arguments match • Pipeline & reference model will branch under same conditions Adata p Branch Logic Branch? Bdata

  10. Memory M Modeled as Function M(a): Value at location a Initially Arbitrary state Modeled by uninterpreted function m0 Writing Transforms Memory M = Write(M, wa, wd) a . ITE(a = wa, wd, M(a)) Future reads of address wa will get wd M a M wa = M wd a m0 M a 1 0 Modeling Memories as Mutable Functions

  11. Required Logic • Scalar Data Types • Formulas (F ) Boolean Expressions • Control signals • Terms (T ) Integer Expressions • Data values • Functional Data Types • Functions (Fun) Integer  Integer • Immutable: Functional units • Mutable: Memories • Predicates (P) Integer  Boolean • Immutable: Data-dependent control • Mutable: Bit-level memories

  12. • • • • • Modeling Unbounded FIFO Buffer Already Popped • Queue is Subrange of Infinite Sequence • Q.head = h • Index of oldest element • Q.tail = t • Index of insertion location • Q.val = q • Function mapping indices to values • q(i) valid only when hi < t • Required Operations • Increment head & tail pointers • Compare head to tail (emptiness) q(h–2) q(h–1) head q(h) q(h+1) • • • increasing indices q(t–2) q(t–1) tail q(t) q(t+1) Not Yet Inserted

  13. CLU Logic • Counter Arithmetic, and Lambda Expressions and Uinterpreted Functions • Terms (T ) Integer Expressions ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application succ (T) Increment pred (T) Decrement • Formulas (F ) Boolean Expressions F, F1F2, F1F2 Boolean connectives T1 = T2 Equation T1 < T2 Inequality P(T1, …, Tk) Predicate application

  14. CLU Logic (Cont.) • Functions (Fun) Integer  Integer f Uninterpreted function symbol  x1, …, xk . T Function definition • Predicates (P) Integer  Boolean p Uninterpreted predicate symbol  x1, …, xk . F Predicate definition

  15. e 1 f T F Ù e Ø 0 = x f 0 T Ú = F T F d 0 Decision Problem • Logic of Equality with Uninterpreted Functions • Truth Values • Dashed Lines • Model Control • Logical connectives • Equations • Integer Values • Solid lines • Model Data • Uninterpreted functions • If-Then-Else operation • Task • Determine whether formula is universally valid • True for all interpretations of variables and function symbols

  16. e 1 f T x0 d0 f(x0) f(d0) F Ù e Ø 0 = x f 0 T Ú = F T F d 0 Finite Model Property for EUF • Observation • Any formula has limited number of distinct expressions • Only property that matters is whether or not different terms are equal

  17. Boolean Encoding of Integer Values • For Each Expression • Either equal to or distinct from each preceding expression • Boolean Encoding • Use Boolean values to encode integers over small range • EUF formula can be translated into propositional logic • Tautology iff original formula valid

  18. y –1 x x y –1 y –1 y –1 x x y –1 x x+1 y x+1 y y y x+1 x+1 y x+1 x = 0, y = 3 x = 2, y = 1 Finite Model Property for CLU x  y  succ(x) > pred(y) • Observation • Need to encode all possible relative orderings of expressions • Each symbolic value has maximum range of increments & decrements • Can use Boolean encodings of small integer ranges

  19. Symbolic Simulation UCLID Operation file.ucl UCLID Formula Model + Specification • Operation • Series of transformations leading to propositional formula • Each has polynomial complexity Lambda Expansion -free Formula Function & Predicate Elimination Term Formula Finite Instantiation Boolean Formula Boolean Satisfiability

  20. pc fd de mw em Branch Arg1 Target Arg2 pRF pMem Value Instr Instr Arg2 Type Type Data Instr pPC PC PC Dest Type Valid Valid Valid Valid UCLID Example Boolean state Term state • DLX Pipeline • Single-issue, 5-stage pipeline Function state Pipeline Write Back Fetch Decode Execute Memory

  21. Write Back Decode fd de mw Arg1 src1 pRF Arg2 Instr src2 Data Dest Valid Writing & Reading Register File

  22. mw Data Dest Valid Writing Register File init[pRF] := rf0; (* Uninterpreted Function *) next[pRF] := Lambda(a) . case mw_Valid & (a = mw_Dest) : mw_Data; default : pRF(a); esac; Write Back pRF

  23. fd de Arg1 Decode Arg2 Instr src1 pRF src2 Reading Register File init[de_Arg1] := dea10; (* Initially arbitary *) next[de_Arg1] := next[pRF](src1(fd_Instr)); init[de_Arg2] := dea20; (* Initially arbitary *) next[de_Arg2] := next[pRF](src2(fd_Instr)); Write-after-read semantics

  24. Present State Next State  Inputs (Arbitrary) Verifying Safety Properties • Prove: System will never reach bad state Bad States Reachable States Reset States Reset

  25. Reachable Rn • • • Bounded Model Checking Bad States • Repeatedly Perform Image Computations • Set of all states reachable by one more state transition • Easy to Implement • Underapproximation of Reachable State Set • But, typically catch most bugs with 8–10 steps R2 R1 Reset States

  26. Reach Fixed-Point Rn = Rn+1 = Reachable Impractical for Term-Level Models Many systems never reach fixed point Can keep adding elements to buffer Convergence test undecidable  Rn • • • True Model Checking Bad States R2 R1 Reset States

  27. I Invariant Checking Bad States • Key Properties of System that Make it Operate Correctly • Formulate as formula I • Prove Inductive • Holds initially I(s0) • Preserved by all state changes I(s)  I((i, s)) Reachable States Reset States

  28. An Out-of-order Processor (OOO) valid tag val D E C O D E incr dispatch • Data Dependencies Resolved by Register Renaming • Map register ID to instruction in reorder buffer that will generate register value • Inorder Retirement Managed by Retirement Buffer • FIFO buffer keeping pending instructions in program order Program memory valid value src1valid src1val src1tag src2valid src2val src2tag dest op result PC Register Rename Unit 1st Operand result bus retire 2nd Operand ALU execute Reorder Buffer head tail Reorder Buffer Fields

  29. ISA Reg. File PC OOO Reg. File PC Reorder Buffer Verifying OOO • Lahiri, Seshia, & Bryant, FMCAD 2002 • Goal • Each step of OOO consistent with Instruction Set Architecture (ISA) model • Challenges • OOO holds partially executed instructions in reorder buffer • States of two systems match only when reorder buffer flushed

  30. ISA Reg. File PC Adding Shadow State • McMillan, ‘98 • Arons & Pnueli, ‘99 • Provides Link Between ISA & OOO Models • Additional entries in ROB • Do not affect OOO behavior • Generated when instruction dispatched • Predict values of operands and result • From ISA model OOO Reg. File PC Reorder Buffer

  31. State Consistency Invariants • Tag Consistency invariants (2) • Instructions only depend on instruction preceding in program order • Register Renaming invariants (2) • Tag in a rename-unit should be in the ROB, and the destination register should match r.reg.valid(r) (rob.head  reg.tag(r) < rob.tail  rob.dest(reg.tag(r)) = r ) • For any entry, the destination should have reg.valid as false and tag should contain this or later instruction robt.(reg.valid(rob.dest(t))  t  reg.tag(rob.dest(t)) < rob.tail)

  32. OOO Invariants • Split into Formulas I1, …, In • Ij(s0) holds for any initial state s0, for 1 jn • I1(s)  I2(s)  … In(s)  Ij(s ) for any current state s and successor state s for 1 jn • Invariants for OOO (13) • Refinement maps (2) • Show relation between ISA and OOO models • Shadow state (3) • Shadow values correctly predict OOO values • State consistency (8) • Properties of OOO state that ensure proper operation • Overall Correctness • Follows by induction on time

  33. Proving OOO Invariants • Proved Automatically • Time spent = 54s on 1.4GHz machine • Total effort = 2 person days • Comparison • Previous efforts using theorem provers took weeks of effort

  34. Extending the OOO Processor • base • Executes ALU instructions only • exc • Handles arithmetic exceptions • Must flush reorder buffer • exc/br • Handles branches • Predicts branch & speculatively executes along path • exc/br/mem-simp • Adds load & store instructions • Store commits as instruction retires • exc/br/mem • Stores held in buffer • Can commit later • Loads must scan buffer for matching addresses

  35. Comparative Verification Effort

  36. “I Just Want a Loaf of Bread” Ingredients Result Recipe

  37. Cooking with Invariants Ingredients: Predicates rob.head  reg.tag(r) Recipe: Invariants r,t.reg.valid(r)  reg.tag(r) = t  (rob.head  reg.tag(r) < rob.tail rob.dest(t) = r ) reg.valid(r) Result: Correctness reg.tag(r) = t rob.dest(t) = r

  38. Automatic Recipe Generation Ingredients • Want Something More • Given any set of ingredients • Generate best recipe possible Result Recipe Creator

  39. Automatic Predicate Abstraction • Graf & Saïdi, CAV ‘97 • Idea • Given set of predicates P1(s), …, Pk(s) • Boolean formulas describing properties of system state • View as abstraction mapping: States {0,1}k • Defines abstract FSM over state set {0,1}k • Form of abstract interpretation • Do reachability analysis similar to symbolic model checking • Prior Implementations • Very weak inference capabilities • Call theorem prover or decision procedure to test each potential transition • Little support for quantified predicates

  40. P1(s), …, Pk(s) Abstraction Function  Concretization Function  s t s t Abstract State Space Abstraction Concretization Abstract States Abstract States Concrete States Concrete States

  41. Abstract Transition Concretize  Abstract  Concrete Transition s s t t Abstract State Machine • Transitions in abstract system mirror those in concrete Abstract System Concrete System

  42. A I Rn • • • R2 R1 Reset States Concretize  C Concrete System Reset States Generating Concrete Invariant • Reach Fixed-Point on Abstract System • Termination guaranteed, since finite state • Equivalent to Computing Invariant for Concrete System • Strongest possible invariant that can be expressed by formula over these predicates Abstract System

  43. Abstract Transition? Concretize  Concretize  [P/B] [P/B] [P/B][/S] Predecessor Conventional Implementation of P.A. • Basis • Abstract state sets described as formulas over Boolean variables B = b1, …, bk • Current state given by formula (b1, …, bk) • Check whether candidate state (b1, …, bk) is successor   Abstract System Intersect? Concrete System

  44. Drawbacks of Conventional Implementation Intersect? • Very Slow • Guess at possible next state • Construct term-level formula and test for satisfiability • Possibly 2k calls to decision procedure • Can Only Handle Proposition Predicates • Cannot construct quantified invariants [P/B] [P/B]  [P/B][/S] Satisfiable? [P/B][/S]

  45. All Abstract Transitions (B, S, X) S, X How to reach abstract state B via concrete states S and X Symbolic Approach to P.A. • Lahiri, Bryant, Cook CAV 2003 • Generate Quantified Formula Describing Next Abstract State Set • Current state given by formula (B) • Generate formula (B) describing all successors   Abstract System

  46. Symbolic Approach (cont.) • Transform into Quantified Boolean Formula • Formula of form Next(B) =  S, X(S, X, B) S, X: Integer and function variables B: Abstract state variables • Translate into Boolean formula of form  A(A, B) A: Boolean variables encoding integer & function values • Key Property { B | (S, X, B) satisfiable } = { B | (A, B) satisfiable } • Solve using either SAT enumeration or BDD quantification

  47. Quantified Invariant Generation • User supplies predicates containing free variables • Generate globally quantified invariant • Example • Predicates p1: reg.valid(r) p2: rob.dest(t) = r p3: reg.tag(r) = t • Abstract state satisfying (p1p2p3) corresponds to concrete state satisfying r,t[reg.valid(r) reg.tag(r)=t  rob.dest(t)=r] rather than r[reg.valid(r)] r,t[reg.tag(r)=t] r,t[rob.dest(t)=r]

  48. Systems Verified with Predicate Abstraction • Very general models • Unbounded processes, buffers, cache lines, … • Safety properties only

  49. Challenge: Model Generation • How to generate term-level model • How to guarantee faithfulness to RTL description • Comparison of Models • RTL • Abstracts functional elements from gate-level model • Synthesis allows automatic map to gate level • Bluespec • Abstracts synchronous timing to atomic transactions • Synthesize to RTL by operator scheduling • Term level • Abstracts bit-level data representations to words • Abstracts memories to mutable functions

  50. Term with Scheduler Dimensions of Abstraction • Temporal & Data are Orthogonal Abstractions • Bluespec provides only temporal abstraction • UCLID language supports cycle-level timing • Can incorporate scheduler to model system operating with atomic transactions Temporal Blue Spec RTL Term Gate Data

More Related